Gavin Carius, Architect, Microsoft Services, SVR311.

Transcript of Gavin Carius, Architect, Microsoft Services, SVR311.

Page 1:
Page 2:

Reinventing Remote Access with DirectAccess

Gavin Carius, Architect, Microsoft Services, SVR311

Page 3:

Session Objectives And Takeaways

Session Objective(s)
Present DirectAccess
Explain core DirectAccess technologies
Review connectivity options

Key Takeaways
VPNs connect the user to the network, DirectAccess extends the network to the user
Three core technologies: IPv6, IPsec, and NRPT
Smartcards are supported but not required

Page 4:

Network Access Infrastructure Optimization Model: Is IT a Cost Center or a Strategic Asset?

Cost Center
No password policies
Perimeter Firewalls only
Antivirus not required or installed by default
No Remote Access policies
IPv4-only network

More Efficient Cost Center
Strong password policy
Host-based firewalls
Security suite installed on clients
Remote Access available
IPv6 planning and testing in progress

Business Enabler
Strong password policy
Basic IPsec policies
Health policies enforced
Remote user experience is similar to local
IPv6 blockers removed, addressing plan complete

Strategic Asset
Strong Authentication
Network transactions are authenticated; may be encrypted
Policy-based network access with auto-remediation
Remote users are an extension of the network
IPv6 is fully deployed

Page 5:

Trustworthy Networking Vision

Identity: Strong authentication required for all users
Authorization: Machine health is validated or remediated before allowing network access
Protection: All network transactions are authenticated and encrypted

Policies are based on identity, not on location

Diagram: Remote Client and Local Client reaching Datacenter Servers across the Internet and the Enterprise Network

Page 6:

Evolving IT Needs

Mobile Data
Globalisation
Increasingly Porous Perimeter
Mobile Workforce

Page 7:

DirectAccess
Securely extending network services and resources to remote users

Page 8:

DirectAccess is more than Remote Access
VPNs connect the user to the network; DirectAccess extends the network to the user

Always On
Improved productivity
Not user initiated
Simplified connectivity

Manage Out
"Light up" remote clients
Decreases patch miss rates
Applies GPOs to remote machines

Access Policies
Pre-logon health checks and remediation
Replaces modal "connect-time" health checks
Full NAP integration

Protected Transactions
Supports authenticated transactions
Supports encrypted transactions
Authentication and encryption mitigate many attacks

Page 9:

DirectAccess: Technical Foundations

Connectivity: IPv6
Data Protection: IPsec
Name Resolution: DNS and NRPT

Page 10:

Connectivity: IPv6
DirectAccess requires IPv6
If native IPv6 isn't available, remote clients use IPv6 Transition Technologies
The corporate network can deploy native IPv6, transition technologies, or NAT-PT

IPv6 Options
DirectAccess works best if the Corporate Network has native IPv6 deployed

Diagram: Internet (IPv4) to Intranet via Native IPv6, IPv6 Translation Technologies, or NAT-PT

Page 11:

Data Protection: IPsec
IPsec tightly integrates with IPv6, allowing the rules engine to determine when and how traffic should be protected

Diagram: End to edge and End to end IPsec protection

Page 12:

Name Resolution: DNS and the NRPT
Remote DirectAccess clients utilise smart routing by default
The Name Resolution Policy Table allows this to happen efficiently and securely
Sends name queries to internal DNS servers based on pre-configured DNS namespace

Diagram: DirectAccess Connection alongside the Internet Connection

Page 13:

Technical Detail

Page 14:

External Connectivity
Native IPv6 support
Public IPv4 addresses will use 6to4 to tunnel IPv6 inside IP Protocol 41
Private IPv4 addresses will use Teredo to tunnel IPv6 inside IPv4 UDP (UDP 3544)
If client cannot connect to DirectAccess Server, IP-HTTPS will connect over port 443

DirectAccess Client: IP Address Assigned by ISP -> IPv6 Address Used to connect
Public IPv4 -> 6to4
Private IPv4 -> Teredo
Native IPv6 -> Native IPv6
Any of the above, if the DirectAccess Server cannot be reached -> IP-HTTPS
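The selection described on this slide, worked through in code. This is an added example written for this transcript, not Microsoft's client code: it picks the transport from the address the ISP assigned, following the slide's order (native IPv6, 6to4 for public IPv4, Teredo for private IPv4, IP-HTTPS on 443 as the fallback), and goes one step further than the slide by decoding a 6to4 or Teredo client address back to the public IPv4 endpoint and UDP port behind it, which is what a DirectAccess server's IPsec log will not show you directly. The sample addresses (1.2.3.4, 10.1.2.3, 2a00::1 and the two tunnel addresses) are constructed; the 6to4 and Teredo formats are the standard ones exposed by Python's ipaddress module.

```python
"""Which IPv6 transition technology a DirectAccess client uses, and how to recover
the IPv4 endpoint embedded in a 6to4 or Teredo address seen in server logs.

Constructed example, not Microsoft's client code. Selection follows the slide:
native IPv6 when the ISP provides it, 6to4 for a public IPv4 address (IPv6 inside
IP protocol 41), Teredo for a private IPv4 address (IPv6 inside UDP 3544), and
IP-HTTPS over TCP 443 when the tunnel cannot reach the DirectAccess server.
"""
import ipaddress

SIXTOFOUR_IP_PROTOCOL = 41   # 6to4: IPv6 carried directly in IPv4, protocol 41
TEREDO_UDP_PORT = 3544       # Teredo: IPv6 carried in IPv4 UDP
IP_HTTPS_TCP_PORT = 443      # IP-HTTPS fallback: IPv6 carried over HTTPS


def sixtofour_prefix(public_ipv4):
    """Derive the 6to4 /48 prefix 2002:WWXX:YYZZ::/48 that a public IPv4 address yields."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def choose_transport(isp_address, tunnel_reachable=True):
    """Pick the IPv6 connectivity method for the address the ISP assigned the client.

    tunnel_reachable=False models the case the slide describes: 6to4/Teredo cannot
    reach the DirectAccess server, so the client falls back to IP-HTTPS on port 443.
    """
    addr = ipaddress.ip_address(isp_address)
    if addr.version == 6 and addr.is_global:
        return {"technology": "Native IPv6", "encapsulation": None}
    if not tunnel_reachable:
        return {"technology": "IP-HTTPS", "encapsulation": ("tcp", IP_HTTPS_TCP_PORT)}
    if addr.version == 4 and addr.is_global:
        return {"technology": "6to4",
                "encapsulation": ("ip-protocol", SIXTOFOUR_IP_PROTOCOL),
                "prefix": str(sixtofour_prefix(addr))}
    if addr.version == 4:
        return {"technology": "Teredo", "encapsulation": ("udp", TEREDO_UDP_PORT)}
    # Non-global IPv6 only (link-local, ULA): nothing to tunnel from, use IP-HTTPS.
    return {"technology": "IP-HTTPS", "encapsulation": ("tcp", IP_HTTPS_TCP_PORT)}


def decode_tunnel_address(ipv6_text):
    """Recover the IPv4 endpoint(s) embedded in a 6to4 or Teredo client address.

    A DirectAccess server log may record only the client's tunnel IPv6 address; this
    maps it back to the public IPv4 address (and, for Teredo, the UDP port and Teredo
    server) that the IPsec traffic actually arrived from.
    """
    addr = ipaddress.IPv6Address(ipv6_text)
    if addr.sixtofour is not None:
        # 2002:WWXX:YYZZ::/48: the public IPv4 address sits in bits 16..47.
        return {"technology": "6to4", "client_ipv4": str(addr.sixtofour)}
    if addr.teredo is not None:
        # 2001:0:SERVER:FLAGS:PORT:CLIENT: port and client are stored bit-inverted.
        server, client = addr.teredo
        obfuscated_port = (int(addr) >> 32) & 0xFFFF
        return {"technology": "Teredo", "teredo_server": str(server),
                "client_ipv4": str(client), "client_udp_port": obfuscated_port ^ 0xFFFF}
    return {"technology": "other"}


if __name__ == "__main__":
    # Constructed sample inputs: 1.2.3.4 stands in for a public ISP address,
    # 10.1.2.3 for a NATed private one, 2a00::1 for a native IPv6 assignment.
    for sample in ("1.2.3.4", "10.1.2.3", "2a00::1"):
        print(sample, "->", choose_transport(sample))
    print(decode_tunnel_address("2002:102:304::1"))
    print(decode_tunnel_address("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
```

Note that ipaddress treats the documentation ranges (192.0.2.0/24, 2001:db8::/32) as non-global, so a test address from those ranges would be classified as private rather than public; that is why the constructed public sample is 1.2.3.4.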

Page 15:

Internal IPv6

Native
- Servers can run any OS that fully supports IPv6
- Requires IPv6 infrastructure
- Best choice over time

ISATAP
- IPv6 inside IPv4
- Servers must be Windows Server 2008 or R2
- No router upgrades

NAT-PT
- Translates IPv6 to IPv4
- Works with any OS
- UAG has this built in

IPv6 Options diagram as on page 10

Page 16:

External IPsec
IPsec Hardware Offload Supported

Diagram: DirectAccess Client, across the Internet (IP-HTTPS), to the DirectAccess Server acting as IPsec Gateway; traffic carried as Encrypted IPsec+ESP

Page 17:

Internal IPsec
No IPsec
IPsec Integrity Only (Auth)
IPsec Integrity + Encryption

Diagram: DirectAccess Server to Line of Business Applications across the Enterprise Network

Page 18:

IPsec Tunnel Detail
DirectAccess Client to DirectAccess Server

Tunnel 1: Infrastructure Tunnel
Auth: Machine Certificate
End: AD/DNS/Management

Tunnel 2: Application Tunnel
Auth: Machine Certificate + (User Kerb or Cert)
End: Any

Page 19:

NRPT
Client side only
Requires a leading dot
Static table that defines which DNS servers the client will use for the listed names
Configurable via GPO at Computer Configuration | Policies | Windows Settings | Name Resolution Policy
Can be viewed with NETSH name show policy

NRPT
.ad.contoso.com    2001:db8:b90a:c7d8::178, 2001:db8:b90a:c7d8::183
.lab.contoso.com   2001:db8:b90a:c7a8::202
sql01.acme.com.au  2001:db8:b90a:c7e4::801
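The NRPT lookup this slide and the earlier "smart routing" slide describe, modelled in code. This is an added example for this transcript, not Windows' resolver implementation: it takes the table shown on the slide, treats an entry with a leading dot as a namespace rule and an entry without one as a single-host rule, prefers the most specific match, and routes matching queries to the listed internal servers over DirectAccess while everything else goes to the ISP's resolvers over the Internet. The ISP resolver address and the behaviour that a namespace rule also covers the namespace name itself are this model's assumptions.

```python
"""Model of how a DirectAccess client consults the NRPT before sending a DNS query.

Constructed example, not Windows' implementation. The table is the one on the slide;
the rules follow the slide's description: the table is static and client-side, an
entry with a leading dot is a namespace (suffix) rule, and an entry without one names
a single host. Queries that match a rule are sent to the listed internal DNS servers
over the DirectAccess connection; everything else goes to the ISP's resolvers over
the plain Internet connection (the "smart routing" on the earlier slide).
"""
import ipaddress

# NRPT entries from the slide: name or namespace -> internal DNS servers.
NRPT = {
    ".ad.contoso.com": ["2001:db8:b90a:c7d8::178", "2001:db8:b90a:c7d8::183"],
    ".lab.contoso.com": ["2001:db8:b90a:c7a8::202"],
    "sql01.acme.com.au": ["2001:db8:b90a:c7e4::801"],   # single host, so no leading dot
}

# Constructed placeholder for the resolvers the ISP handed out via DHCP.
ISP_DNS = ["192.0.2.53"]


def validate_table(table):
    """Reject entries whose server addresses do not parse; returns the table unchanged."""
    for rule, servers in table.items():
        if not servers:
            raise ValueError(f"NRPT rule {rule!r} lists no DNS servers")
        for server in servers:
            ipaddress.ip_address(server)   # raises ValueError on a malformed address
    return table


def normalize(name):
    """Lower-case and drop a trailing dot so 'FS01.AD.Contoso.com.' compares cleanly."""
    return name.rstrip(".").lower()


def match_rule(query_name, table=NRPT):
    """Return the table key that governs query_name, or None if no rule applies.

    An exact-host rule wins outright. Among suffix rules the longest (most specific)
    wins; in this model a suffix rule also covers the namespace name itself.
    """
    q = normalize(query_name)
    best = None
    for rule in table:
        r = normalize(rule)
        if not r.startswith("."):
            if q == r:
                return rule
        elif q == r[1:] or q.endswith(r):
            if best is None or len(r) > len(normalize(best)):
                best = rule
    return best


def route_query(query_name, table=NRPT):
    """Decide which connection and which resolvers a name query will use."""
    rule = match_rule(query_name, table)
    if rule is None:
        return {"connection": "Internet", "servers": ISP_DNS, "rule": None}
    return {"connection": "DirectAccess", "servers": table[rule], "rule": rule}


if __name__ == "__main__":
    validate_table(NRPT)
    for name in ("fs01.ad.contoso.com", "Host.LAB.Contoso.com.", "sql01.acme.com.au",
                 "web.acme.com.au", "www.example.com"):
        print(f"{name:26} -> {route_query(name)}")
```

The point the model makes visible is the one the slide labels "securely": a name such as web.acme.com.au, which sits beside a listed host but under no namespace rule, never reaches the internal resolvers, while any name under .ad.contoso.com never leaks to the ISP's DNS.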

Page 20:

Two Factor Authentication (TFA)
Not required; fully supported
Edge based enforcement: a smarter way to enforce TFA
User is assigned a well-known SID when they log on with a smartcard: S-1-5-65-1
User may logon to laptop without TFA
When user accesses corporate resources, IPsec authorization policy checks for this SID
If SID is not present…
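The two-tunnel model from page 18 and the edge-based smartcard check from this slide, written as one policy evaluator. This is an added example for this transcript, not the Windows IPsec rules engine: it encodes only what the slides state (Tunnel 1 on the machine certificate alone for AD/DNS/management; Tunnel 2 on machine certificate plus user Kerberos or certificate for anything else; the well-known SID S-1-5-65-1 checked per resource). The endpoint names, the set of servers that demand the SID, and the choice to deny when the SID is absent are assumptions of this model.

```python
"""Model of the two DirectAccess IPsec tunnels and edge-based smartcard enforcement.

Constructed example, not the Windows IPsec rules engine. It encodes what the slides
state: Tunnel 1 (infrastructure) authenticates with the machine certificate alone and
reaches AD/DNS/management; Tunnel 2 (application) needs the machine certificate plus
user Kerberos or a user certificate and reaches anything; a smartcard logon puts the
well-known SID S-1-5-65-1 in the user's token, and an IPsec authorization policy can
require that SID for selected resources. The endpoint names and the set of servers
that demand the SID are constructed placeholders; denying when the SID is absent is
this model's assumption.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

SMARTCARD_LOGON_SID = "S-1-5-65-1"   # from the slide: present only after a smartcard logon

# Constructed: management endpoints that the infrastructure tunnel may reach pre-logon.
INFRASTRUCTURE_ENDPOINTS = {"dc01.ad.contoso.com", "dns01.ad.contoso.com", "mgmt01.ad.contoso.com"}
# Constructed: servers whose IPsec authorization rule additionally demands the smartcard SID.
TFA_REQUIRED_ENDPOINTS = {"payroll.ad.contoso.com"}


@dataclass(frozen=True)
class Connection:
    destination: str
    machine_cert_valid: bool                   # computer certificate chains to the enterprise PKI
    user_authenticated: bool = False           # user Kerberos ticket or user certificate presented
    token_sids: FrozenSet[str] = frozenset()   # group SIDs in the user's logon token


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tunnel: Optional[str]
    reason: str


def authorize(conn: Connection) -> Decision:
    """Apply the tunnel rules in order; the first rule that decides wins."""
    if not conn.machine_cert_valid:
        return Decision(False, None, "machine certificate required for either tunnel")
    if conn.destination in INFRASTRUCTURE_ENDPOINTS:
        # Tunnel 1 needs no user: this is what lets GPOs and patches reach a laptop
        # before anyone logs on ("manage out").
        return Decision(True, "Tunnel 1 (infrastructure)", "machine certificate only")
    if not conn.user_authenticated:
        return Decision(False, None, "application tunnel requires user Kerberos or certificate")
    if conn.destination in TFA_REQUIRED_ENDPOINTS and SMARTCARD_LOGON_SID not in conn.token_sids:
        # The laptop logon itself did not need a smartcard; the edge rule enforces it
        # only for the resources that warrant it.
        return Decision(False, "Tunnel 2 (application)", f"resource requires SID {SMARTCARD_LOGON_SID}")
    return Decision(True, "Tunnel 2 (application)", "machine certificate + user authentication")


if __name__ == "__main__":
    # Constructed scenarios: pre-logon management traffic, a user without and with a smartcard.
    password_token = frozenset({"S-1-5-21-1-2-3-1001"})
    smartcard_token = password_token | {SMARTCARD_LOGON_SID}
    for conn in (Connection("dc01.ad.contoso.com", True),
                 Connection("fs01.ad.contoso.com", True),
                 Connection("fs01.ad.contoso.com", True, True, password_token),
                 Connection("payroll.ad.contoso.com", True, True, password_token),
                 Connection("payroll.ad.contoso.com", True, True, smartcard_token)):
        print(conn.destination, "->", authorize(conn))
```

The order of the checks is the design point: the machine certificate gates everything, the infrastructure tunnel is deliberately reachable before any user exists, and the smartcard requirement is attached to the resource rather than to the act of logging on to the laptop.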

Page 21:

Requirements for DirectAccess

Knowledge
Should have a basic working knowledge of IPsec and TCP/IP
Should be interested in learning about and deploying new technologies, such as IPv6

DirectAccess Clients
Windows 7 Enterprise or Ultimate SKU
Domain-joined machines

DirectAccess Server
Windows Server 2008 R2, domain-joined machines
Located at edge

Page 22:

Requirements for DirectAccess

DNS Servers supporting DirectAccess clients must be Windows Server 2008 SP2 or later

Application Server
End to end IPv6 or IPsec requires Windows Server 2008 or later
Earlier server versions require NAT-PT

PKI for certificates
No dependency on Active Directory version/mode

Page 23:

UAG and DirectAccess – Better Together

Forefront Unified Access Gateway (UAG) extends the benefits of Windows DirectAccess across your infrastructure, enhancing scalability and simplifying deployments and ongoing management.

Anywhere Access
• Extend Windows DirectAccess to legacy applications and resources running on existing infrastructure.
• Support down-level and non Windows clients through integrated SSL VPN capabilities and other connectivity options.

Integrated Security
• Protect the DirectAccess gateway with a hardened edge solution.
• Limit exposure associated with connecting unmanaged, down-level and non-Windows clients through granular application access controls and policies.

Simplified Management
• Minimize configuration errors and simplify deployment using built-in wizards and tools.
• Enhance scale and ongoing administration through built-in array management and integrated load balancing.
• Consolidate access gateways for centralized control and auditing.

Page 24:

UAG and DirectAccess – Better Together
Extends access to line of business servers with IPv4 support
Access for down level and non Windows clients
Enhances scalability and management
Simplifies deployment and administration
Hardened Edge Solution

Diagram: Managed Windows 7 clients (Always On, IPv6) and unmanaged Windows Vista/Windows XP, Non-Windows and PDA clients (SSL-VPN) connect through the Windows Server 2008 R2 DirectAccess Server to Windows Server 2008 R2 application servers (IPv6), a Windows Server 2003 Legacy Application Server and a Non Windows Server (IPv6 or IPv4)

Page 25:

Building “End to End Trust”

Identity + Authentication
(Optional) Two factor Authentication
Domain Controller authenticated logon
Cached credentials are only used if machine is offline

Access Control
Identity-aware firewall (Auth-firewall)
IPsec (At the network layer)
File Share permissions
NTFS Permissions

Authorisation Policies
Define access, encryption, or authentication policies on a per server or application basis
These rich policy constructs are far beyond traditional VPN

Audit
End-to-end authentication allows remote client connections to be logged by each server

Page 26:

question & answer

Page 27:

Resources

www.microsoft.com/teched – Sessions On-Demand & Community
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
www.microsoft.com/learning – Microsoft Certification & Training Resources

Page 28:

COMPLETE YOUR EVALUATION FORMS IN COMMNET AND BE IN TO WIN ONE OF THE 150 DAILY PRIZES*

GIVE US YOUR FEEDBACK & WIN INSTANTLY!

*For full terms & conditions and more information, please visit the CommNet Portal.

Page 29:

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.